Brazilian World Cup Related Targeted Attack 

06-10-2010 11:40 AM

On behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services

Beginning on 02 June 2010 MessageLabs Intelligence identified a run of 45 targeted malware emails intercepted in route to a number of Brazilian companies, including chemical, manufacturing, and finance firms. This social engineering attack exploits the excitement surrounding the 2010 World Cup in South Africa to prompt the recipients to take actions which may compromise their systems and corporate information.

One particularly interesting element of this targeted attack is the use of two attack modes, a PDF attachment and a malicious link.
The email was spoofed from a well-known sportswear manufacturer, using the manufacturer’s domain and was sent from a server hosting company in Brazil. The manufacturer being spoofed is a sponsor of the FIFA World Cup which adds validity to the attack.

The recipients appear to be executives and managers at the targeted firms.

The subject line of the attack roughly translates to “If Brazil wins You also gain!” and the text in the body of the email says “Check by clicking on the ball!” above and “And see the catalogue of bonuses!” underneath the picture of the football.
Dual malware attack modes

To increase the chance of a successful attack the attackers include both a malicious PDF attachment and a link back to their server which can result in downloaded malware. The inclusion of two methods of attack means that even if the PDF is removed as suspicious by an anti-virus gateway, the malicious link remains in the body of the email and may still be delivered to the recipient. This is because many email filtering systems are configured to simply remove or clean viral attachments, and will often allow the “cleaned” email to be delivered to the recipient, in this case with the malicious link still intact.

In this case the attackers are not using one of the free webmail services which have become a common approach. The reason for this potentially lies in the malware that is being used in this case; this isn’t a typical backdoor Trojan being deployed.  It is actually an off-the-shelf botnet virus called “SpyEye” (more information here: and
The use of SpyEye is an interesting choice since roughly $1,000 (USD) will purchase a custom-built executable from an underground network that may be used to create a highly specialized botnet. This type of off-the-shelf botnet malware is frequently distributed in much larger volumes, being sent to as many people as possible, in order to grow the botnet as quickly as possible. In this case SpyEye was used in a targeted manner, potentially to take advantage of SpyEye’s ability to steal credit card numbers.

Let’s take a closer look at the PDF exploit being used…
The exploit being used in the PDF is CVE-2010-0188 ( which, at the moment, is particularly favored by distributors of targeted malware designed to exploit PDF’s. This exploit has been used in a large number of targeted attacks over the past month.

As you can see from the exploit used in this attack (above), it is used to download a further executable.

Now let’s take a closer look at that malicious link…
Firstly, it’s important to note that this is more than just a simple link to an executable that must be first downloaded before it can be installed. Many companies routinely block links to executable files, and acceptable usage policies tend to disallow the download and installation of non-corporate or unlicensed software.
So if the recipient were to click on the link, they would be taken to:
            hxxp://[address removed]/iem/link.php?M=49170&N=14&L=2&F=H.
This site is just a redirect, which takes the visitor to another site again, as seen in the TCP stream capture below.

The final destination, seeks permission from the user to install an ActiveX control, as can be seen in the screenshot below:

The code behind this page is actually rather interesting, as we can see here in the next image.

Initially it appears to be a rather simple page, where the first link is a piece of legitimate ActiveX software that functions as a downloader component. IP address in the link is the same one that was used in the PDF earlier, and it is passed to the ActiveX program, which will automatically download and install the program it points to, as we can see if we follow the process through in the next image.

Once the software has completed the install procedure, the web page reloads itself, and the website doesn’t do anything further at all, perhaps leaving the user feeling rather bewildered. The image displayed is linked from another unrelated website and its only purpose if to look interesting and relevant.

At this stage, the output.exe executable has been downloaded, executed and installed. The malware probes the botnet’s command and control channel, notifying the controller that that the infected machine is online and contactable. By this stage the recipient is likely to have their computer under the full control of the attackers to use for whatever purpose or intent they had in mind.

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.